Fundamental flaws uncovered in Mega's encryption scheme — show the service can read your data
MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files — the researchers wrote on a website. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice, which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks — showcasing their practicality and exploitability.
https://arstechnica.com/information-technology/2022/06/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise/
#mega #vulnerability #cloud #data
MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files — the researchers wrote on a website. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice, which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks — showcasing their practicality and exploitability.
https://arstechnica.com/information-technology/2022/06/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise/
#mega #vulnerability #cloud #data
Ars Technica
Mega says it can’t decrypt your files. New POC exploit shows otherwise
Fundamental flaws uncovered in Mega's encryption scheme show service can read your data.
MEGA Security Update
https://blog.mega.io/mega-security-update
Today, MEGA has released software updates that fix a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing less severe identified issues will follow in the near future. MEGA is not aware of any user accounts being compromised by these vulnerabilities.
Who is potentially affected?
Customers who have logged into their MEGA account at least 512 times (the more, the higher the exposure). Note that resuming an existing session does not count as a login. While all MEGA client products use permanent sessions by default, some third-party clients such as Rclone do not, so their users may be exposed.
Who could have exploited the vulnerability?
Very few: An attacker would have had to first gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA.
What could have been the outcome?
Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files and chats could have been decryptable. Files in the cloud drive could have been successively decrypted during subsequent logins. Furthermore, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).
#mega #cloud #vulnerability
https://blog.mega.io/mega-security-update
Today, MEGA has released software updates that fix a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing less severe identified issues will follow in the near future. MEGA is not aware of any user accounts being compromised by these vulnerabilities.
Who is potentially affected?
Customers who have logged into their MEGA account at least 512 times (the more, the higher the exposure). Note that resuming an existing session does not count as a login. While all MEGA client products use permanent sessions by default, some third-party clients such as Rclone do not, so their users may be exposed.
Who could have exploited the vulnerability?
Very few: An attacker would have had to first gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA.
What could have been the outcome?
Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files and chats could have been decryptable. Files in the cloud drive could have been successively decrypted during subsequent logins. Furthermore, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).
#mega #cloud #vulnerability
Mega Blog
MEGA Security Update June 2022 - MEGA Blog
MEGA has released software updates to patch critical vulnerabilities discovered by researchers at ETH Zurich.
The Chain of Custody: The "Mafia" Holding The Elite's Bitcoin
The companies poised to dominate the digital financial infrastructure of Latin America have arisen courtesy of the self-described "mafia" multiplier, Endeavor. Flush with funds from billionaires linked to the US intelligence and organized crime, Endeavor's influence over the CEOs it has championed promises that, with the ushering in of a new financial system, a wave of covert dollarization will shortly follow.
Via @unlimitedhangout
#Mafia #Mossad #CIA #DeepState #SiliconValley #Epstein #Mega #StartUp #Capitalism #Endeavour
The companies poised to dominate the digital financial infrastructure of Latin America have arisen courtesy of the self-described "mafia" multiplier, Endeavor. Flush with funds from billionaires linked to the US intelligence and organized crime, Endeavor's influence over the CEOs it has championed promises that, with the ushering in of a new financial system, a wave of covert dollarization will shortly follow.
Via @unlimitedhangout
#Mafia #Mossad #CIA #DeepState #SiliconValley #Epstein #Mega #StartUp #Capitalism #Endeavour